Linux appears to now expose /proc/sys/net/core/rmem_default to network namespaces that aren't the root network namespace.
I didn't fully bisect, but here's the behavior on my Linux 6.6 machine:
# stat /proc/sys/net/core/rmem_default
<works>
# ip netns add foo && ip netns exec foo stat /proc/sys/net/core/rmem_default
stat: cannot statx '/proc/sys/net/core/rmem_default': No such file or directory
On my Linux 6.11 machine:
# ip netns add foo && ip netns exec foo stat /proc/sys/net/core/rmem_default
File: /proc/sys/net/core/rmem_default
[...]
This breaks an assumption in isRootNS and therefore breaks sandboxes using Netstack in recent kernels.
starting container: setting up network: creating interfaces from net namespace "/proc/42845/ns/net":
cannot run with network enabled in root network namespace
https://github.com/google/gvisor/blob/7d35643f0939d87999fe53b1b73929f5d996b08c/runsc/sandbox/network.go#L106-L118
https://github.com/google/gvisor/blob/7d35643f0939d87999fe53b1b73929f5d996b08c/runsc/sandbox/network.go#L154-L160
Steps to reproduce
runsc do echo hi
on a fresh Linux kernel.
runsc version
docker version (if using docker)
uname
6.11.0-rc1+
kubectl (if using Kubernetes)
repo state (if built from source)
master
runsc debug logs (if available)
No response
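As an added illustration, not code from the gVisor project or the reporter: the first function reproduces the assumption the report describes, a root-netns test based solely on whether /proc/sys/net/core/rmem_default exists, which newer kernels satisfy in every network namespace; the second compares namespace identity (device and inode of /proc/<pid>/ns/net) against PID 1 instead. The procRoot parameter and the choice of PID 1 as the root-namespace reference are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// isRootNSBySysctl mirrors the assumption the issue describes: root netns iff
// <procRoot>/sys/net/core/rmem_default exists (always true on newer kernels).
func isRootNSBySysctl(procRoot string) bool {
	_, err := os.Stat(filepath.Join(procRoot, "sys", "net", "core", "rmem_default"))
	return err == nil
}

// nsIdentity returns the (dev, inode) pair of a namespace handle such as
// /proc/<pid>/ns/net; two handles name the same namespace iff the pairs match.
func nsIdentity(path string) (uint64, uint64, error) {
	st, err := os.Stat(path)
	if err != nil {
		return 0, 0, err
	}
	raw, ok := st.Sys().(*syscall.Stat_t)
	if !ok {
		return 0, 0, fmt.Errorf("no Stat_t for %s: unsupported platform", path)
	}
	return uint64(raw.Dev), uint64(raw.Ino), nil
}

// isRootNSByIdentity compares the caller's netns with PID 1's under procRoot.
// Assumption (not from the issue): procRoot is the host /proc, so PID 1 is the
// host init and owns the root netns; inside a PID namespace /proc/1 is the
// container init, so evaluate this from the host side.
func isRootNSByIdentity(procRoot string) (bool, error) {
	selfDev, selfIno, err := nsIdentity(filepath.Join(procRoot, "self", "ns", "net"))
	if err != nil {
		return false, err
	}
	initDev, initIno, err := nsIdentity(filepath.Join(procRoot, "1", "ns", "net"))
	if err != nil {
		return false, err
	}
	return selfDev == initDev && selfIno == initIno, nil
}

func main() {
	fmt.Println("sysctl-based:", isRootNSBySysctl("/proc"))
	fmt.Println(isRootNSByIdentity("/proc"))
}
```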